Data breaches are reported in an endless stream in today's Internet, and information security is being tested to its limits. Many sites have started to use SSL server certificates to verify their identity and encrypt traffic, and so to guard against phishing sites and data breaches. SSL server certificates are issued by certificate authorities (CAs), trusted third parties responsible for issuing and managing SSL server certificates.

There are several hundred trusted CAs in the world, and any one of them can issue a valid SSL server certificate for your site's domain. Most people are not aware, however, that some CA systems may have weaknesses that let fake SSL certificates flow into the Internet and pose a threat to it.

Forged SSL server certificates in recent years

Last year, Google found that Symantec had issued a pre-signed certificate for a Google domain without Google's knowledge. It was not the first time such a thing had happened: the authority of several CAs has been abused or misused to issue fake SSL server certificates, putting the privacy of millions of netizens in danger.

In March 2011, a hacker broke into Comodo and stole nine SSL server certificates for seven web domains in total, including mail.google.com, addons.mozilla.org and login.yahoo.com. In the same year, the Dutch CA DigiNotar was compromised and a large number of fake certificates were issued; because of these fake certificates, millions of users were exposed to man-in-the-middle attacks. Files leaked by Snowden revealed that the National Security Agency had used fake SSL certificates issued by some CAs to intercept and decrypt large numbers of HTTPS-encrypted sessions.

Promoting SSL server certificate transparency

The DigiNotar, Comodo and Symantec incidents are wake-up calls, and they mark the end of the era of blind trust in CAs. How, then, can you find out whether a fake SSL server certificate for your domain has been issued to someone else or is being used by attackers?

An effective method is to require CAs to publish the details of issued certificates promptly, in other words to promote certificate transparency, so that the authenticity of a certificate can be determined quickly by comparing it against the published data. In 2013, Google initiated the Certificate Transparency (CT) project, which aims to provide an open system of auditing and monitoring that lets any domain owner or CA determine whether a certificate has been mis-issued or used maliciously, and thereby improve the security of HTTPS websites.

The CT project requires CAs to disclose the data of every digital certificate they issue and to record it in a certificate log. It is worth noting that certificate transparency does not replace the traditional CA-based identity verification procedures; it simply adds a way to look up the log and confirm that no other certificate has been issued for your domain.

Certificate transparency lets people quickly identify digital certificates that were mis-issued or issued maliciously, and so avoid security problems such as man-in-the-middle attacks. Earlier this year, the certificate transparency system and its monitoring services helped Facebook's security team detect several fake certificates for fb.com subdomains ahead of time.
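To make the two halves of the mechanism concrete, the following added example (written for this article; it is not WoSign's code or Google's CT software) models a certificate log in miniature. The log's append-only structure is the RFC 6962 Merkle tree, with leaf and node hashing exactly as the RFC specifies, so a domain owner can verify that an entry really is included under a published tree head. On top of that, a monitor function performs the lookup described above: it scans the log for any certificate naming a domain the owner controls whose serial number the owner never requested. The log entries, the JSON encoding of a leaf, and the domain and serial values are all constructed for the demonstration, not data from any real log.

```python
import hashlib
import json

# ---- RFC 6962 Merkle tree primitives (hash construction follows the RFC) ----

def leaf_hash(data: bytes) -> bytes:
    """Leaf hash: SHA-256 over a 0x00 prefix and the leaf bytes."""
    return hashlib.sha256(b"\x00" + data).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    """Interior node hash: SHA-256 over a 0x01 prefix and both children."""
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:
    """Largest power of two strictly less than n (requires n > 1)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def tree_head(leaves):
    """Merkle Tree Hash over a list of leaf byte strings (the published tree head)."""
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaf_hash(leaves[0])
    k = _split(len(leaves))
    return node_hash(tree_head(leaves[:k]), tree_head(leaves[k:]))

def inclusion_proof(m, leaves):
    """Audit path for leaf index m: sibling hashes from the leaf up to the root."""
    n = len(leaves)
    if n == 1:
        return []
    k = _split(n)
    if m < k:
        return inclusion_proof(m, leaves[:k]) + [tree_head(leaves[k:])]
    return inclusion_proof(m - k, leaves[k:]) + [tree_head(leaves[:k])]

def verify_inclusion(m, n, leaf, path, root):
    """Recompute the root from a leaf and its audit path; True only if it matches."""
    def walk(m, n, path):
        if n == 1:
            return leaf_hash(leaf) if not path else None   # extra path elements: reject
        if not path:
            return None                                    # path too short: reject
        k = _split(n)
        if m < k:
            sub = walk(m, k, path[:-1])
            return None if sub is None else node_hash(sub, path[-1])
        sub = walk(m - k, n - k, path[:-1])
        return None if sub is None else node_hash(path[-1], sub)
    if m >= n:
        return False
    return walk(m, n, path) == root

# ---- Constructed log contents standing in for what a CA would disclose ----

LOG_ENTRIES = [
    {"domains": ["www.example.com", "example.com"], "issuer": "Example CA", "serial": "01"},
    {"domains": ["shop.other-site.test"], "issuer": "Other CA", "serial": "02"},
    {"domains": ["mail.example.com"], "issuer": "Example CA", "serial": "03"},
    {"domains": ["login.example.com"], "issuer": "Some Other CA", "serial": "04"},
    {"domains": ["example.org"], "issuer": "Example CA", "serial": "05"},
]

def encode_entry(entry) -> bytes:
    """Canonical leaf encoding (JSON with sorted keys) so hashes are reproducible."""
    return json.dumps(entry, sort_keys=True).encode()

def covers(name, domain):
    """True if a certificate name is the domain itself or a subdomain of it."""
    return name == domain or name.endswith("." + domain)

def find_unexpected(entries, owned_domains, known_serials):
    """Entries naming an owned domain whose serial the owner never requested."""
    hits = []
    for entry in entries:
        if entry["serial"] in known_serials:
            continue
        if any(covers(n, d) for n in entry["domains"] for d in owned_domains):
            hits.append(entry)
    return hits

if __name__ == "__main__":
    leaves = [encode_entry(e) for e in LOG_ENTRIES]
    root = tree_head(leaves)
    # The owner of example.com checks that entry 3 is really in the log, then looks
    # for certificates on its domain that it never asked for.
    proof = inclusion_proof(3, leaves)
    print("entry 3 included:", verify_inclusion(3, len(leaves), leaves[3], proof, root))
    for e in find_unexpected(LOG_ENTRIES, {"example.com"}, {"01", "03"}):
        print("unexpected certificate:", e["serial"], e["issuer"], e["domains"])
```

Run against these constructed entries, the inclusion proof for entry 3 verifies, and the monitor flags serial 04 for login.example.com, issued by a CA the owner never used; serial 05 for example.org is not flagged because it is a different domain. A proof checked against a stale or forged tree head, or a proof for a different leaf, fails verification, which is what makes the log auditable rather than merely published.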

The Chinese CA WoSign closely follows advanced international technology and upgraded its PKI/CA system to support Certificate Transparency as early as August 2015. It is the only domestic CA, and the earliest, to support the latest Google CT specifications.